Radius and silent devices
Hello everyone,
Unfortunately I cannot find any information on how Meraki handles the VLAN association with silent devices.
For example, I have a printer which gets sent to VLAN 111 on a port with RADIUS authentication and access VLAN 1.
The printer goes into sleep mode and does not send any packets.
Now someone wants to print something on this printer and needs to contact the printer in VLAN 111.
Does the switch forget the VLAN association on the port where the printer is connected when the MAC aging time expires?
Thanks everyone.
Have you checked the logs on the Radius server to validate that the device is still authenticated? I could be wrong but I think this is the expected behavior when the printer goes into sleep mode.
Please, if this post was useful, leave your kudos and mark it as solved.
I have to check. But the main question is whether ARP requests still reach the printer, because it should stay authenticated and associated with the VLAN when it was authenticated in the past.
802.1X Control Direction (Wake-on-LAN support)
802.1X Control Direction is set by default to "both" directions. In this mode, the switch port doesn't allow ingress or egress traffic through the switch port until after the port is authorized via 802.1X or MAB authentication. Control Direction can also be set to "inbound-only", in which case the switch port doesn't allow ingress traffic, but will allow limited egress traffic from the network through the switch port to reach the connected device. This is often used to allow Wake-on-LAN magic packets to wake a sleeping host on the connected port, at which point the host can attempt a normal 802.1X or MAB authentication to authorize the switch port for full ingress and egress traffic.
Please, if this post was useful, leave your kudos and mark it as solved.
Depending on the auth mode used, have you configured a re-auth timer? Otherwise the port stays authenticated until there is a port status change or the RADIUS server sends a CoA, IMO.
No re-auth timer is configured. I know from other vendors that if the MAC address ages out, the association of the port to the specific VLAN is deleted as well.
I have to test whether any problems occur. But maybe someone has some experience with this scenario.
> the association of the port to the specific VLAN is deleted as well
Are you doing dynamic VLAN? I wouldn't expect the port to return to its default VLAN unless there's a port status change or CoA.
I do expect the MAC flushed from the CAM if it ages out, but that shouldn't really pose a problem.
We use dynamic VLAN, right. I know Alcatel-Lucent works in such a way that it deletes the VLAN from the port when the MAC ages out. That's the whole problem I see: if Meraki does that too, no one can communicate with the device anymore.
I have a deployment with 350 Meraki switches using Cisco ISE 3.2 for dynamic VLAN assignment and no issues with VLAN association for silent devices (printers).
In the Access Policy settings I have "802.1x Control Direction" set to "inbound-only". I also have re-authentication set to 12 hours. The "inbound-only" setting allows the printer to "hear" ARP requests and receive print jobs from the print server. An authentication, if needed, is only triggered when the printer responds to requests.
I have done numerous deployments of ISE with Cisco switches. This is my first deployment of ISE with Meraki devices. Without the "inbound-only" setting, or equivalent on Catalyst switches, the printer never generates traffic to initiate authentication and also never receives traffic.
Quick question. Multi-auth doesn't support a re-auth timer. In that case, 802.1x Control Direction "inbound-only" wouldn't change anything, right?
Also, considering that the end device uses DHCP, having DHCP renewals shorter than your re-auth timer would also fix it? I would assume so.
Thank you both for the information. @BillyC Are your printers running DHCP? Unfortunately my customer does not run DHCP on their printers. So when they are "silent" there is no traffic from them until they get used.
The printers have been a mix of DHCP and Static. This is being deployed in a new building with printers initially using DHCP then later they are reconfigured for static.
For the re-auth, I have the ISE server send radius-request for 43,200 seconds (12 hours).
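As an added example (not from this thread, Meraki or ISE), this is what the dynamic-VLAN Access-Accept discussed above looks like on the wire: Tunnel-Type/Tunnel-Medium-Type/Tunnel-Private-Group-ID for VLAN 111 plus a Session-Timeout of 43,200 seconds with Termination-Action RADIUS-Request, and the Response Authenticator check a switch must pass before trusting any of it. The shared secret and request authenticator are constructed placeholders.

```python
import hashlib
import struct

# RADIUS attribute types (RFC 2865 / RFC 2868)
SESSION_TIMEOUT = 27
TERMINATION_ACTION = 29
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

def _avp(attr_type, value):
    """Encode one attribute as Type (1 byte), Length (1 byte), Value."""
    return bytes([attr_type, len(value) + 2]) + value

def build_access_accept(request_authenticator, secret, vlan_id, session_timeout, identifier=1):
    """Build an Access-Accept that assigns a VLAN and a re-auth interval (constructed values)."""
    tag = b"\x01"  # RFC 2868 tag byte grouping the three tunnel attributes
    attrs = (
        _avp(TUNNEL_TYPE, tag + (13).to_bytes(3, "big"))          # 13 = VLAN
        + _avp(TUNNEL_MEDIUM_TYPE, tag + (6).to_bytes(3, "big"))  # 6 = IEEE-802
        + _avp(TUNNEL_PRIVATE_GROUP_ID, tag + str(vlan_id).encode())
        + _avp(SESSION_TIMEOUT, struct.pack("!I", session_timeout))
        + _avp(TERMINATION_ACTION, struct.pack("!I", 1))          # 1 = RADIUS-Request
    )
    header = struct.pack("!BBH", 2, identifier, 20 + len(attrs))  # code 2 = Access-Accept
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs

def parse_access_accept(packet, request_authenticator, secret):
    """Verify the Response Authenticator, then pull out VLAN and timer attributes."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 2 or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    if packet[4:20] != expected:
        raise ValueError("Response Authenticator mismatch: wrong shared secret or tampered packet")
    result, pos = {}, 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        v = packet[pos + 2:pos + l]
        if t == TUNNEL_PRIVATE_GROUP_ID:
            # A leading byte <= 0x1F is a tag, otherwise it is part of the string
            result["vlan"] = (v[1:] if v[0] <= 0x1F else v).decode()
        elif t == SESSION_TIMEOUT:
            result["session_timeout"] = struct.unpack("!I", v)[0]
        elif t == TERMINATION_ACTION:
            result["termination_action"] = struct.unpack("!I", v)[0]
        pos += l
    return result
```

Session-Timeout with Termination-Action RADIUS-Request is the server-side knob behind the "12 hours" re-authentication mentioned above; a switch that skips the authenticator check would accept a VLAN assignment from anyone who can spoof the server's address.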
The only way to deal with silent devices is to either configure the device to use DHCP or to set the access VLAN to the VLAN the device should be in, and make sure that control direction is only out in the access policy. This way the traffic should be able to reach the device, and the return traffic should trigger authentication.
